Personal Health Information & Privacy

Privacy is a sensitive, complex area in health care. As the volume and types of data being collected, used and disclosed have grown, regulatory and legal requirements have expanded. It’s key to have practical, industry-savvy advice to help your organization protect the privacy of patient and client information and comply with legal obligations.

Our health care practice is at the forefront of privacy and access to information law. Long before there were health information protection laws, we were advising health sector clients on health information confidentiality.

We have proven expertise with the privacy, information security, and access to information laws governing health information across the health care sector.

Our services include:

advising on the purchase, implementation and use of electronic health information systems and on data-sharing agreements between and among health care institutions
expertise in the procurement and integration of health information systems
developing policies, procedures and agreements designed to protect health information and comply with legal obligations
handling privacy, security, and access to information-related patient and client complaints and regulatory investigations
understanding and implementing best practices in order to help prevent privacy incidents from occurring
navigating often complex U.S.-Canada cross-border regulatory landscapes, including data transfers and multi-jurisdictional breaches
advising on the unique issues relating to the privacy of mental health information and the health information of children and adolescents
counseling on privacy issues in the clinical research context
crafting staff privacy training programs
drafting confidentiality agreements
understanding the privacy implications of corporate amalgamations, restructurings and service integration
responding to requests for access to and the correction of personal health information
assisting with privacy incidents, including cybersecurity breaches and ransomware
assisting with regulatory inquiries and investigations

Our diverse range of health sector clients includes:

hospitals, clinics and health systems
pharmacies
laboratories
ambulance services
long-term care facilities
associations
health information registries
individual health care professionals
retirement homes
community-based health organizations
technology companies developing health-related services and products

We have helped clients, including the Ontario Hospital Association (OHA) and Healthcare Insurance Reciprocal of Canada (HIROC), with submissions on new legislation including the Personal Health Information Protection Act and Freedom of Information and Protection of Privacy Act. We assist hospitals, community-based health organizations and other health care providers in responding to potential privacy and cybersecurity breaches, including advising on incident investigation, breach notification to applicable regulators and affected individuals, and incident remediation.

In the event of a privacy breach, our lawyers—who have argued the leading privacy decisions—represent hospitals in litigation, including class action defence.

BLG’s translation of Commission d’accès à l’information (CAI) Québec-specific guides

Québec’s CAI routinely publishes valuable, detailed guidance on privacy-related compliance requirements at the provincial level. In accordance with the Charter of the French Language amended by Bill 96 in 2022, these guides are only available in French, but BLG Privacy lawyers have translated some of the most comprehensive CAI publications of recent years to help organizations based outside of Québec to comply.

In the event of a discrepancy between the original French version and one of our unofficial translations to English, note that the French version shall take precedence. Sources are always listed.

Experience

Drafted guides to Freedom of Information legislation (FIPPA) and health information privacy law (PHIPA) for different classes of health services providers.
Regularly assist health information custodians to understand their obligations under provincial health information privacy laws and to respond to inquiries and investigations by the applicable Commissioner.
Analyze and advise on privacy models for regional and provincial shared records and other electronic health information systems, services and repositories (authentication/identification, e-referral, e-notification, clinical collaboration, integrated decision support).
Advise on the requirements applicable to IT services providers under health information privacy laws and draft privacy provisions for IT agreements.
Draft or review data sharing, system access and IT services agreements for hospitals, CCACs, LHINs, prescribed persons (registries), prescribed entities and health care associations, among others.
Assist with the performance and analysis of privacy and security assessments.
Participate in regional privacy officer group meetings.
Advise on the application of health information privacy laws to research.

Drafted guides to Freedom of Information legislation (FIPPA) and health information privacy law (PHIPA) for different classes of health services providers.
Regularly assist health information custodians to understand their obligations under provincial health information privacy laws and to respond to inquiries and investigations by the applicable Commissioner.
Analyze and advise on privacy models for regional and provincial shared records and other electronic health information systems, services and repositories (authentication/identification, e-referral, e-notification, clinical collaboration, integrated decision support).
Advise on the requirements applicable to IT services providers under health information privacy laws and draft privacy provisions for IT agreements.
Draft or review data sharing, system access and IT services agreements for hospitals, CCACs, LHINs, prescribed persons (registries), prescribed entities and health care associations, among others.
Assist with the performance and analysis of privacy and security assessments.
Participate in regional privacy officer group meetings.
Advise on the application of health information privacy laws to research.